VMware Takes Virtualization Discussions into Realm of PCI Compliance

VMware has joined the PCI Security Standards Council in a bid to get language dealing specifically with virtualization added to the Payment Card Industry Data Security Standard. The lack of guidance on the issue has been a challenge for retailers as adoption of virtual environments has grown, according to VMware.

The honeymoon may soon be over for any retailers that have not
extended their attention to the Payment Card Industry Data Security
Standard to their virtual environments.

VMware announced today it has joined the PCI Security Standards
Council in a bid to have specifics related to virtualization included in
the Payment Card Industry Data Security Standard (PCI DSS), as well as
to spread awareness of how the technology can help enhance security
and compliance.

It's no secret that virtualization is spreading among businesses.
Despite its growth, however, there is still nothing in the PCI
standard that specifically mentions virtual hosts and networks. On
its own, VMware has sought to bridge that gap by disseminating
information through its VMware Compliance Center via whitepapers and
podcasts, which can be downloaded here.

The lack of guidance in the regulation itself has led to
confusion among merchants, explained Shekar Ayyar, vice president of
infrastructure alliances at VMware.

"When it comes to compliance-related domains, PCI being one of them,
it is still somewhat of a...gray area where there's not a whole lot of
understanding of what that is, whether it's from the standards council
standpoint or whether it is from the auditor's standpoint," he said.
"What we are looking to do is really...articulate more clearly what first
of all virtualization as an architecture and an infrastructure can
enable and how compliance auditors as well as rule-makers need to be
thinking about that."

He added that technologies VMware is working on, such as the VMsafe API, can have a sharp influence on compliance and enforcement.

"So that's kind of the driving force behind doing this...their version
1.2 of the [regulation] for example still doesn't really talk about
virtualization, so the hope is that through closer engagement and by
working with them as part of the council we will be able to bring more
awareness to that as we go forward," Ayyar said.

As a member of the council, VMware will have access to the latest
payment card security standards from the council and be able to provide
feedback.

"The PCI Security Standards Council is committed to helping everyone
involved in the payment chain protect consumer payment data," said Bob
Russo, general manager of the PCI Security Standards Council, in a
statement. "By participating in the standards setting process, VMware
demonstrates it is playing an active part in this important end goal."